Package: shorewall6
Version: 4.4.7.4-2
Severity: normal
Hello,
I have set up the following basic configuration for shorewall6:
r...@pc-vincent:/etc/shorewall6# grep -v '#' zones interfaces hosts policy rules
zones:
fw firewall - - -
net ipv6 - - -
loc:net ipv6 - - -
interfaces:
net eth0 detect dhcp,nosmurfs,tcpflags
hosts:
loc eth0:<fe80::216:17ff:fe6b:8a4f/128> -
policy:
$FW all ACCEPT
loc all REJECT info
net all DROP info
all all REJECT info
rules:
SECTION NEW
SMB(ACCEPT) loc $FW
SSH(ACCEPT) loc $FW
This configuration works but gives the following message:
[ 2482.278141] Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:0216:17ff:fe6b:8a4f DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=143 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=103
I found out that the port 5353 is that of the mDNS service. After adding the
rule:
mDNS(ACCEPT) loc $FW
to the file /etc/shorewall6/rules and restarting, I get the following error
message in /var/log/shorewall6-init.log:
18:09:51 Compiling MAC Filtration -- Phase 1...
18:09:51 Compiling /etc/shorewall6/rules...
18:09:51 ..Expanding Macro /usr/share/shorewall/macro.mDNS...
The log file doesn't show any error message after that last line and
shorewall6 isn't starting.
I have the same macro in my shorewall (ipv4) rules file and it works there
without any problems. I suspect that the problem is that the macro uses some
IPv4 (multicast-)addresses. Can it be that shorewall6 doesn't parse these
IPv4 addresses correctly? I think there should be an IPv6 version of the macro
mDNS.
Regards,
Vincent Smeets
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages shorewall6 depends on:
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii iproute 20100224-3 networking and traffic control too
ii iptables 1.4.6-2 administration tools for packet fi
ii shorewall 4.4.7.5-1 Shoreline Firewall, netfilter conf
shorewall6 recommends no packages.
Versions of packages shorewall6 suggests:
ii linux-image-2.6.32-3-amd64 [l 2.6.32-9 Linux 2.6.32 for 64-bit PCs
ii make 3.81-7 An utility for Directing compilati
ii shorewall-doc 4.4.7-1 documentation for Shoreline Firewa
-- debconf information:
shorewall6/major_release:
shorewall6/dont_restart:
shorewall6/invalid_config:
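The suspicion raised in the report (a macro shared with the IPv4 product carrying IPv4 literals) can be checked mechanically before a macro is referenced from /etc/shorewall6/rules. This is an added example, not part of the original report and not Shorewall code; the function names are hypothetical and the macro text is a constructed sample, not the contents of the real macro.mDNS.

```python
import ipaddress
import re

# Dotted-quad candidates with an optional /prefix. The lookbehind skips
# quads embedded in IPv6 text such as ::ffff:192.0.2.1.
_IPV4_TOKEN = re.compile(
    r"(?<![\w.:])(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?(?![\w.])"
)

def ipv4_literals(macro_text):
    """Return (line_number, address, is_multicast) for every IPv4 literal
    that appears outside comments in the text of a macro file."""
    findings = []
    for lineno, line in enumerate(macro_text.splitlines(), start=1):
        body = line.split("#", 1)[0]  # ignore comments
        for match in _IPV4_TOKEN.finditer(body):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # looks like a quad but is not a valid address
            findings.append((lineno, str(addr), addr.is_multicast))
    return findings

def ipv6_safe(macro_text):
    """True when the macro carries no IPv4 literals at all."""
    return not ipv4_literals(macro_text)

# Constructed sample, NOT the real macro.mDNS. 224.0.0.251 is the IPv4
# mDNS group; ff02::fb is the IPv6 group seen as DST in the log above.
SAMPLE_MACRO = """\
# Constructed macro for illustration
#ACTION SOURCE DEST        PROTO DPORT
PARAM   -      224.0.0.251 udp   5353   # IPv4 mDNS group
PARAM   -      -           udp   5353
PARAM   -      <ff02::fb>  udp   5353
"""

if __name__ == "__main__":
    for lineno, addr, mcast in ipv4_literals(SAMPLE_MACRO):
        kind = "multicast" if mcast else "unicast"
        print(f"line {lineno}: IPv4 {kind} literal {addr}")
```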